Appendix

CALIFORNIA STATE AUDITOR’S SURVEY OF REPORTING ENTITIES THAT REPORTED THEIR LEVELS OF COMPLIANCE WITH SECURITY STANDARDS IN 2014 TO THE CALIFORNIA DEPARTMENT OF TECHNOLOGY

We surveyed 101 state entities under the direct authority of the governor (reporting entities) that certified their levels of compliance with the requirements in Chapter 5300 of the State Administrative Manual (security standards) to the California Department of Technology (technology department) in 2014.[11] To protect the State’s information assets, we have chosen not to publicly disclose the names of the reporting entities that we surveyed; instead, we assigned each reporting entity a number. In tables A.1 and A.2, we summarize 77 survey respondents’ self-reported levels of compliance with 17 security standards that we placed into the following categories: information asset management, risk management, information security program management, information security incident management, and technology recovery. We grouped the remaining 47 security standards into the category of Other Information Security Requirements. In addition, tables A.1 and A.2 identify the types of information each reporting entity collects, stores, or maintains. Table A.1 covers the 41 survey respondents who completed our survey and reported to the technology department in 2014 that they were fully compliant with the security standards. Table A.2 covers the 36 survey respondents who completed our survey and reported to the technology department in 2014 that they were not fully compliant with the security standards. Four additional reporting entities partially responded to our survey, answering some questions but not identifying their specific levels of compliance with each of the 64 sections of the security standards; we therefore excluded these four reporting entities from the tables. We list the remaining 20 state entities that did not respond to our information security survey in Table A.3.

Table A.1

Survey Responses From Entities That Reported Full Compliance With the California Department of Technology’s Security Standards in 2014

Columns: Reporting Entity; Collects, Stores, or Maintains (Personal Information or Health Information Protected by Law*; Confidential Financial Data*; Other Sensitive Data*); Compliance Levels the Reporting Entities Identified in Our Survey (Information Asset Management; Risk Management; Information Security Program Management; Information Security Incident Management; Technology Recovery; Other Information Security Requirements).

In this text version of the table, the six compliance-level columns were color-coded (see the legend below the table) and the colors are not preserved. For each reporting entity, the “Yes” entries from the three data-type columns are listed in the order they appear in the row; the text version does not preserve which of the three columns each “Yes” belongs to.

Reporting entity: “Yes” entries in the data-type columns
01: none
02: Yes, Yes, Yes
03: none
04: Yes
05: Yes, Yes, Yes
06: none
07: none
08: Yes
09: Yes, Yes
10: none
11: Yes
12: Yes
13: Yes
14: Yes
15: Yes, Yes
16: Yes, Yes
17: Yes
18: Yes, Yes
19: Yes, Yes
20: Yes
21: Yes
22: Yes
23: Yes, Yes, Yes
24: none
25: Yes
26: Yes
27: Yes, Yes
28: Yes
29: Yes, Yes, Yes
30: Yes, Yes, Yes
31: none
32: Yes, Yes
33: Yes
34: Yes, Yes, Yes
35: Yes, Yes, Yes
36: Yes
37: Yes
38: Yes, Yes
39: Yes, Yes
40: none
41: Yes

Source: California State Auditor’s analysis of survey responses from 41 reporting entities certifying full compliance to the California Department of Technology in 2014.

* For entries in this column that do not contain the value “Yes”, the reporting entity asserted in its response to our survey that it did not collect, store, or maintain this type of data.

Green = Fully compliant: The reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area.

Yellow = Mostly compliant: The reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area.

Orange = Partially compliant: The reporting entity asserted it has made measurable progress in complying, but has not addressed all of the security standards for the control area.

Red = Not compliant: The reporting entity asserted it has not yet addressed the security standards for the control area.

Table A.2

Survey Responses From Entities That Reported Noncompliance With the California Department of Technology’s Security Standards in 2014

Columns: Reporting Entity; Collects, Stores, or Maintains (Personal Information or Health Information Protected by Law*; Confidential Financial Data*; Other Sensitive Data*); Compliance Levels the Reporting Entities Identified in Our Survey (Information Asset Management; Risk Management; Information Security Program Management; Information Security Incident Management; Technology Recovery; Other Information Security Requirements).

In this text version of the table, the six compliance-level columns were color-coded (see the legend below the table) and the colors are not preserved. For each reporting entity, the “Yes” entries from the three data-type columns are listed in the order they appear in the row; the text version does not preserve which of the three columns each “Yes” belongs to. Reporting entity 76 does not appear in this text version of the table.

Reporting entity: “Yes” entries in the data-type columns
42: Yes
43: Yes
44: none
45: Yes
46: Yes
47: Yes, Yes, Yes
48: Yes, Yes
49: Yes, Yes
50: Yes
51: Yes, Yes, Yes
52: Yes
53: Yes, Yes
54: Yes
55: Yes, Yes
56: Yes
57: Yes, Yes
58: Yes
59: Yes
60: Yes
61: Yes
62: Yes, Yes
63: Yes, Yes, Yes
64: Yes
65: Yes, Yes
66: Yes, Yes
67: Yes, Yes
68: Yes, Yes, Yes
69: Yes, Yes
70: Yes, Yes
71: Yes
72: Yes, Yes
73: Yes, Yes
74: Yes, Yes
75: Yes, Yes, Yes
77: Yes, Yes

Source: California State Auditor’s analysis of survey responses from 36 reporting entities certifying noncompliance to the California Department of Technology in 2014.

* For entries in this column that do not contain the value “Yes”, the reporting entity asserted in its response to our survey that it did not collect, store, or maintain this type of data.

Green = Fully compliant: The reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area.

Yellow = Mostly compliant: The reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area.

Orange = Partially compliant: The reporting entity asserted it has made measurable progress in complying, but has not addressed all of the security standards for the control area.

Red = Not compliant: The reporting entity asserted it has not yet addressed the security standards for the control area.

Table A.3

Entities That Submitted Certifications to the California Department of Technology in 2014 but Did Not Respond to Our Information Security Survey

Entities

Baldwin Hills Conservancy

California Air Resources Board

California Department of Aging

California Department of Forestry and Fire Protection

California Department of General Services

California Department of Resources Recycling and Recovery

California Exposition and State Fair

California State Teachers’ Retirement System

Coachella Valley Mountains Conservancy

Delta Protection Commission

Native American Heritage Commission

Office of Administrative Law

Office of the Inspector General

Office of the State Public Defender

Public Employees’ Retirement System

Public Employment Relations Board

Sacramento-San Joaquin Delta Conservancy

San Diego River Conservancy

San Gabriel and Lower Los Angeles Rivers and Mountains Conservancy

Tahoe Regional Planning Agency

Footnotes

[11] The 101 reporting entities we surveyed included entities that state law requires to report to the technology department each year, as well as some entities that voluntarily reported to the technology department in 2014.